Vendor Management

Maintain your vendor register, track DPAs, assess compliance, and manage sub-processors

7 min read · Updated 26 February 2026
Client Admin · Compliance Officer · DPO

Most organisations do not process personal data in isolation. They use cloud providers, payment processors, email services, analytics tools, and countless other third-party vendors — many of which process personal data on their behalf. Under the GDPR, if a vendor processes personal data on your instructions, they are a "processor" and you are the "controller". Article 28 requires you to have a written contract with every processor and to ensure they provide sufficient guarantees of compliance.

GDPR4All's Vendor Management module gives you the tools to maintain a comprehensive vendor register, track Data Processing Agreements (DPAs), conduct compliance assessments, and visualise your sub-processor chain.

Maintaining a Vendor Register

The vendor register is your central directory of all third-party organisations that process personal data on your behalf. Navigate to Compliance > Vendors to access the vendor hub, which provides an overview of your vendor landscape, or click through to the full vendor list.

Creating a Vendor Record

Click New Vendor to add a vendor to your register. Key fields include:

  • Vendor name — the legal name of the organisation.
  • Description — a brief description of the services they provide and the personal data they process.
  • Contact information — primary contact name, email, and phone number for the vendor's data protection representative.
  • Country — where the vendor is based, which is relevant for international transfer assessments.
  • Status — the current status of the vendor relationship:
    • Active — the vendor is currently providing services and processing data.
    • Under Review — the vendor is being evaluated, either as a new potential vendor or as part of a periodic review.
    • Suspended — the vendor relationship has been temporarily paused, perhaps due to compliance concerns.
    • Terminated — the vendor relationship has ended.
  • Sub-processor toggle — if this vendor is a sub-processor (i.e., they process data on behalf of another vendor rather than directly for you), toggle this option and select the parent vendor. This builds the sub-processor tree.

Vendor Dashboard

The vendor hub page displays four stat cards summarising your vendor landscape:

  • Total vendors — the number of vendors in your register.
  • Active vendors — vendors currently providing services.
  • Expiring DPAs — DPAs that are approaching their expiry date and need renewal.
  • High-risk vendors — vendors whose latest compliance assessment indicates high or critical risk.

Below the stat cards, alert banners highlight any vendors with expired DPAs or overdue assessments, so you can take action immediately.

DPA Tracking

A Data Processing Agreement (DPA) is a legally binding contract between a controller and a processor. It must set out the subject matter and duration of the processing, the nature and purpose, the types of personal data and categories of data subjects, and the obligations of the processor.

Creating a DPA Record

From a vendor's detail page, navigate to the DPA section and click New DPA. Record:

  • Agreement title — a descriptive name for the DPA.
  • Signed date — when the DPA was executed.
  • Expiry date — when the DPA expires and needs to be renewed.
  • Transfer mechanism — if the vendor is located outside the UK/EEA, select the safeguard mechanism in place:
    • Standard Contractual Clauses (SCCs) — the most commonly used mechanism.
    • Adequacy Decision — the destination country has been deemed adequate by the relevant authority.
    • Binding Corporate Rules (BCRs) — approved internal rules for multinational groups.
    • Other — any other valid transfer mechanism.
  • Status — DRAFT, SIGNED, or EXPIRED.
  • Document upload or content — the full text or a reference to the signed agreement.

Expiry Alerts

GDPR4All automatically monitors DPA expiry dates. When a DPA approaches its expiry date, alerts appear:

  • On the vendor detail page — a warning banner on the DPA section.
  • On the vendor list page — an expiry indicator next to the vendor name.
  • On the vendor dashboard — in the expiring DPAs stat card and alert banner.

If a signed DPA passes its expiry date, its status is automatically computed as Expired, even if it was not manually updated. This auto-expiry mechanism ensures you are never unknowingly operating without a valid agreement.

Compliance Assessments

Regular compliance assessments are essential for verifying that your vendors continue to meet their data protection obligations. GDPR4All provides a structured assessment framework with automatic risk scoring.

Conducting an Assessment

From a vendor's detail page, navigate to the Assessments section and click New Assessment. The assessment form includes:

  • Assessment date — when the assessment was conducted.
  • Assessment score — a score from 0 to 100, reflecting the vendor's overall compliance posture.
  • Findings — detailed notes on what was assessed and what was found.
  • Recommendations — suggested improvements or remediation actions.

Risk Scoring

The assessment score is automatically mapped to a risk level:

Score Range    Risk Level
81 - 100       LOW
61 - 80        MEDIUM
41 - 60        HIGH
0 - 40         CRITICAL

When you save an assessment, the vendor's overall risk level is automatically updated to reflect the latest score. This means your vendor register always shows the most current risk picture.

Assessment History

All assessments are preserved in the vendor's history. The assessment list displays:

  • The date of each assessment.
  • The score achieved.
  • A visual score bar showing the score relative to 100.
  • Trend arrows — indicators showing whether the score has improved, declined, or remained stable compared to the previous assessment.

This history makes it easy to track whether a vendor's compliance posture is improving or deteriorating over time.

Sub-Processor Tree

Article 28(2) of the GDPR requires processors to obtain the controller's written authorisation before engaging sub-processors. Managing sub-processor chains can be complex, especially when your vendors themselves use multiple third-party services.

GDPR4All's Sub-Processor Tree provides a visual representation of your vendor hierarchy. If Vendor A uses Vendor B as a sub-processor, and Vendor B uses Vendor C, the tree shows this chain clearly:

Your Organisation
  └── Vendor A (Cloud Provider)
        └── Vendor B (Data Centre Operator)
              └── Vendor C (Backup Service)

Each node in the tree displays the vendor's name, status, and risk level, giving you a complete picture of your processing chain at a glance.

To set up sub-processor relationships, use the sub-processor toggle when creating or editing a vendor record and select the parent vendor from the dropdown.

Termination Guards

When a vendor relationship ends, you may want to change the vendor's status to Terminated. However, GDPR4All enforces an important safeguard:

You cannot terminate a vendor that has active sub-processors.

If Vendor A has Vendor B listed as an active sub-processor, you must first terminate or reassign Vendor B before you can terminate Vendor A. This prevents orphaned sub-processor relationships and ensures your vendor register remains accurate and complete.

The platform displays a banner on the vendor detail page when this guard is active, explaining which sub-processors need to be addressed before termination can proceed.
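The following Python model is an added illustration, not GDPR4All's own code: it implements the three rules described on this page (the score-to-risk mapping from the Risk Scoring table, the auto-expiry of signed DPAs, and the termination guard over the sub-processor tree) so you can see how they interact. The data structures, the constructed Vendor A/B/C sample, and the assumption that only sub-processors with status Active block termination are mine.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def risk_level(score: int) -> str:
    """Map a 0-100 assessment score to the risk bands in the Risk Scoring table."""
    if not 0 <= score <= 100:
        raise ValueError("assessment score must be between 0 and 100")
    if score >= 81:
        return "LOW"
    if score >= 61:
        return "MEDIUM"
    if score >= 41:
        return "HIGH"
    return "CRITICAL"

def effective_dpa_status(recorded_status: str, expiry: str, today: str) -> str:
    """Auto-expiry rule: a SIGNED DPA whose expiry date (ISO format) has passed
    is reported as EXPIRED even if nobody updated the stored record."""
    if recorded_status == "SIGNED" and date.fromisoformat(expiry) < date.fromisoformat(today):
        return "EXPIRED"
    return recorded_status

@dataclass
class Vendor:
    name: str
    status: str = "Active"          # Active, Under Review, Suspended, Terminated
    parent: Optional[str] = None    # set when this vendor is a sub-processor

class VendorRegister:
    def __init__(self, vendors) -> None:
        self.vendors = {v.name: v for v in vendors}

    def active_sub_processors(self, name: str) -> list:
        # Assumption: only sub-processors whose status is Active block termination.
        return [v.name for v in self.vendors.values()
                if v.parent == name and v.status == "Active"]

    def terminate(self, name: str) -> None:
        """Termination guard: refuse while the vendor still has active sub-processors."""
        blockers = self.active_sub_processors(name)
        if blockers:
            raise ValueError(f"cannot terminate {name}: address {blockers} first")
        self.vendors[name].status = "Terminated"

def example_register() -> VendorRegister:
    """Constructed sample data: the Vendor A -> B -> C chain from the tree above."""
    return VendorRegister([Vendor("Vendor A"), Vendor("Vendor B", parent="Vendor A"),
                           Vendor("Vendor C", parent="Vendor B")])
```

Terminating Vendor A on the sample register raises until Vendor C and then Vendor B have been terminated, which is the order the guard enforces.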

Tips for Effective Vendor Management

  • Review vendor compliance annually — do not assume that because a vendor was compliant when you first engaged them, they remain so. Schedule annual assessments and document the results.
  • Ensure DPAs are signed before sharing data — never begin sharing personal data with a vendor until a DPA is in place. This is a legal requirement under Article 28, and operating without a DPA is a significant compliance gap.
  • Monitor DPA expiry dates — set up a regular review cadence and use GDPR4All's expiry alerts to ensure DPAs are renewed before they lapse.
  • Know your sub-processor chain — you are responsible for the actions of your processors and their sub-processors. Use the sub-processor tree to understand who has access to your data and ensure appropriate safeguards are in place at every level.
  • Act on assessment findings — assessments are only valuable if you follow up on the findings. When an assessment reveals compliance gaps, document the required improvements and set a date for re-assessment.
  • Consider international transfers — if a vendor is based outside the UK or EEA, ensure you have an appropriate transfer mechanism in place and that it is documented in the DPA. The GDPR's transfer restrictions apply regardless of how reputable the vendor is.
  • Link vendors to your ROPA — your ROPA should reference the vendors involved in each processing activity. This creates a complete picture of your data flows and makes it easier to assess the impact of vendor changes.

Vendor management is an ongoing responsibility, not a one-time exercise. GDPR4All ensures you have the visibility and tools to manage your vendor relationships proactively and in compliance with the GDPR.
